Safeguarding the London 2012 network

Today any high-profile online presence is a magnet for malcontents and computer criminals. So LOCOG (the London Organising Committee of the Olympic and Paralympic Games) knew that London 2012 would be a prime target.

For BT, the London 2012 official communications services partner, security was much more than just a matter of fulfilling its contractual obligations. Given the international importance of the Games, any cracks in its electronic defences would affect the organising body, the reputation of BT as a service provider, and the image of the UK.

The Games presented important network security challenges because:

London 2012 was the first time such an event had relied on a single unified IP platform for all its network requirements, meaning any potential weaknesses could be exploited to hack into critical systems

Recent developments – for example, the rise of smartphones, bring-your-own-device, and social media – meant that many of the lessons learned in Beijing in 2008 were only partly applicable to London 2012

Furthermore, LOCOG wanted to give the event’s accredited journalists free and unmonitored network access, effectively making London 2012 the world’s largest bring-your-own-device experience so far.

The task of protecting the network infrastructure fell to the security and risk management division of BT. The BT team began consulting on the project from 2008 and, by early 2011, was working on potential threat scenarios and war games to devise a full security strategy.

Three security layers for defence in depth

A three-layer network security architecture, based on commercial-off-the-shelf products, was put in place. The first level consisted of software- and hardware-based managed perimeter security systems made up of multiple firewall tiers, to ensure hackers could not gain entry through device or vendor-specific vulnerabilities.

The second level of protection involved a series of threat and log management products aimed at detecting data coming from network-based requests that had bypassed the firewalls but might nevertheless be part of malicious activity. This was complemented by BT Security Threat Monitoring, which employs a team of highly skilled and experienced analysts using proven processes and comprehensive security technology for network incident detection and response.

Finally, a dedicated team of experts in BT security operations centres (SOCs) provided the third level of defence. These specialists – all with backgrounds in network security – worked proactively to monitor hacker activity and reactively to track and counter incoming threats.

Protecting the wider infrastructure

During the course of the Games it became apparent that laptops being used by press agents were harbouring malware. This back-door vulnerability was used to launch botnet attacks on the network. Although the team honoured its commitment not to monitor press activity, it was nevertheless able to trace the malicious traffic back through the network to the relevant device owners and let them know their machines were infected.

As part of its communications services responsibilities, the team used distributed denial of service (DDoS) mitigation technologies to deflect inbound threats to london2012.com before they could hit the website. Those safeguards were also extended to the content distribution system, which pushed content out to multiple mirrored sites worldwide, enabling users to access the website around the globe. These were complemented by a number of anti-virus and malware detection systems to raise alerts whenever known attack signatures were detected. In addition, the infrastructure was equipped with analysis software to give highly granular data on user requests.

“Our assumption was that the website would be a prime target for a short time span, which is what happened,” says Phil Packman, General Manager of Security Engineering and Customer Advocacy at BT. “We’ve acquired a lot of experience in protecting clients against these kinds of threats, which was invaluable in designing similar measures to protect the London 2012 website.”

Fending off hackers and all attackers

The LOCOG network was handed over in early 2011 and round-the-clock security commenced on 1st July 2012. “Malicious activity started as soon as the infrastructure went live and increased in line with the amount of traffic,” recalls Phil Packman. “The first concerted attack coincided with the Opening Ceremony.”

As the Games progressed, the team dealt with daily threats, detecting and deflecting all intrusion attempts. In fact, during one early attack there was a peak of 11,000 malicious attempts per second on the network. The majority were traced back to servers in the US, China, and Brazil.

Throughout the entire event, the team collaborated closely with other security and law enforcement agencies, including experts from LOCOG and Olympic partner organisations, while also contributing to and gaining intelligence from daily Olympic Intelligence Centre (OIC) Metropolitan Police briefings. “Our work was part of a much wider effort to protect UK plc and the Olympic and Paralympic brand for the duration of the Games,” concludes Phil Packman. “I’m delighted to say it was a complete success.”

Key facts and figures

The BT security operations team comprises more than 500 people worldwide, and some 40 of those, in the US, the UK and Australia, worked on London 2012, including nine dedicated to the Games around the clock and six engaged in intelligence gathering

Up to 30,000 journalists were given access to the BT infrastructure

The intrusion prevention system monitored and consolidated approximately 120 million network-based daily events into just a handful of trouble tickets for further investigation by the BT Security team

121.6 billion web requests were processed – ten times more than the 2010 Winter Olympics – with 223,281 requests per second at the peak

347,200,000 DNS activity requests were processed throughout the Games, reaching an average of just over 432 hits per second at the peak

The number of detected malicious site visit attempts rose from around two million a day at the beginning of the Games to a peak of nine million a day